Resources referneced within this lecture:

AWS Shared Responsibility Model

Transcript

I now want to talk to you about another VPC component, and that is the NAT gateway. To help explain what this does, let me just draw out our VPC quickly. So we have a very simple VPC, and we're gonna have two subnets in this VPC, we'll have a public subnet and also we'll have a private subnet as well, and it's the private subnet that we're going to be focusing on. 

So this will be our public, and the green one will be our private subnet. Now obviously we'll have an Internet gateway attached to our VPC, which will then connect out to the Internet. Okay, so we have a public subnet, and a private subnet. Now in our private subnet we'll have a number of EC2 instances running our applications, and in our public subnet we're likely to have a number of web servers as well. As we know, each of these subnets also have a route table attached. Public route table will have access to the Internet gateway, and also to the other private subnet. 

Now we need to start thinking about security again. Now, looking at our EC2 instances in the private subnet, we are responsible, as a part of the AWS Shared Responsibility Model, to update and patch the operating systems running on each of our EC2 instances. Now if you're not familiar with the AWS Shared Responsibility Model, I suggest you take a look at it. It's critical to all of your AWS deployments, and it essentially defines the boundaries of security as to what your roles and responsibilities are of implementing security within the cloud, and what AWS's responsibility is of maintaining security of the cloud. For more information, you can take a look at this blog post here. 

Okay, so with that in mind, if we have the responsibility of maintaining the operating systems of our EC2 instances, then we need to be able to download updates as and when we need to. However, this subnet is private. Meaning it has no access to the Internet gateway, and therefore the Internet, so how can we download those updates? Well, what we can do, we can add a NAT gateway. 

Now, a NAT gateway sits within the public subnet. Because it sits within the public subnet, it has to have a public IP address in the form of an EIP which is an Elastic IP address, and this is assigned to the instance itself. Now because it sits within the public subnet, it has a route out to the Internet gateway, and to the Internet. Now once we have our NAT gateway set up and configured, we need to update the route table of our private subnet. Now, by default our route table in our private subnet will just have the local route that all route tables have. But if we update that to provide a route to the NAT gateway, and we can see that I've added this additional route in here. Now this looks very familiar to the route we added to the public subnet to get access to the Internet via the Internet gateway, and it is essentially the same. So we'll add the 0.0.0.0/0 which is essentially a destination to any IP address unknown in the route table already. Then, send it to the target of the NAT gateway. And they can tell it's a NAT gateway as this first part here, is prefixed with nat. And then this section along here, is essentially the ID of the NAT gateway within your VPC. 

So what this route table is telling us, is that if any resource within this subnet needs to gain access to the Internet to perform an update, then it can do so via our NAT over here. This NAT gateway will then take the request, go via the Internet gateway, and download the appropriate software that's required, and send it back to the EC2 instance requesting it. Now the important thing with a NAT gateway, is that it will not accept any inbound communication initiated from the Internet. It will only accept outbound communications originating from within your VPC. So it will deny all inbound traffic that's been initiated from the Internet. 

Now the NAT gateway itself is managed by AWS, so you don't have to provision the instance itself. It's very easy to do, you simply create the NAT gateway, specify what subnet it should reside in, and associate an Elastic IP address, and AWS will manage all other configuration. Because it's managed by default, AWS will set up multiple NAT gateways for resiliency, but you'll only see the one NAT gateway within your account with the associated ID. 

Now, earlier I mentioned about configuring your resources across Multi-Availability Zones. So if you have multiple public subnets in different Availability Zones, you will need to set up another NAT gateway within that subnet as well. AWS will not automatically deploy a NAT gateway within each of your public subnets. 

So just as a quick summary, a NAT gateway allows instances within a private subnet access to the Internet, but the NAT gateway itself will block all incoming initiations from the Internet. So it protects the private subnet in that way. And this allows you to ensure that you maintain the security of your EC2 instances ensuring that their OS is kept up to date, and any patch management is taken care of as well. Now the next component I want to talk to you about is the bastion host. So let's take a look.